Enterprise Security Configuration




The Enterprise Security Configuration defines your basic password settings and protocols.

It is divided into four (4) functional areas that affect different protocols:

How to Configure Your Enterprise Security

To Configure Your Enterprise Security:

  1. From the Launch Pad, click the System Configuration icon in the left navigation panel.
  2. In the Enterprise & Business Unit Setup section, select Enterprise Security Configuration.

Password Settings

You can use the up and down arrows to select, or simply enter, a value in each of these four (4) fields.

  1. If you would like to allow permanent passwords for Users, select the Allow Permanent Password check box (See Below).
  2. Select or enter how many days before a password expires in the Password Expiration Duration in Days field.
  3. Select or enter the number of log-in attempts a user can make before they are denied access to the system (See Below) in the Consecutive Password Failures field.
  4. Select or enter the Minimum Password Length. The minimum password length in MosoMRM is eight (8) characters.
  5. Select or enter the Pin Code Minimum Length. The minimum password length in MosoMRM is three (3) numbers.
    Password Settings.

If a staff member or user exceeds the number of log-in attempts, they are locked out of the system. Only a user with System Administrator permissions can reinstate their account and password. This is also done in the User Access tab on their Employee Profile.

If you selected the Allow Permanent Password check box, the Password is Permanent check box in the User Access tab on the Employee Profile is automatically activated when adding or editing a staff member or user. Both of these check boxes must be selected for an individual to have a permanent password.

Password is Permanent check box is selected in the user's account page

Application Keys

The API Key is used to give you the ability to connect to Moso myClub and other API applications.

The API Key is generated to protect your application from unauthorized users and your Members from identity fraud.

Click the Regenerate button to generate the API Key and Private Key (see API Key section below). You would also click this button to reset the value and then click the Save button.

  • They are both string values that are non-inherited and non-editable.
  • They should strictly be set or regenerated by the System Administrator ONLY.
  • If they are invalidated and reset, all log-ins, permanent log-ins, and any outstanding password change requests will be invalidated.
    Application Keys Settings.

VERY IMPORTANT: It is strongly recommended that you only regenerate these keys, especially the Private Key, in the event of a potential security breach in your Enterprise. Regenerating these keys would protect you against the breach but would break existing links and code.

Delegated Authentication

These features are set at the Enterprise level ONLY. See the Technical Information section below for more information about each feature.

  1. Enter your domain name in the Delegated Authentication Login URL field.
  2. Enter the Delegated Authentication Logout URL. This designates which URL you will be directed to when logging out of an authenticated session.
  3. Enter the Client Heartbeat URL. This feature gives you the ability to keep sessions from timing out when in an authenticated session.
    Delegated Authentication Settings.

Network Security

The Access-Control-Allow-Origin field filters requests (API calls) coming and going through your domain. In this field, enter either:

  • A website domain value. If you enter a specific site, only requests (API calls) from that specific domain will be honored.
  • The "*" character. If you enter this character, requests from ANY domain will be honored.
  • Leave it empty (recommended). By leaving it empty, only requests from your OWN domain will be honored.
    Network Security Settings.

VERY IMPORTANT: This field is not required and can cause major security problems if not administered properly. This feature should only be used by an administrator who understands API calls and the potential implications to their application.

Network Security Restrictions

The Network Security Restrictions feature allows you to configure a range of IP Addresses that will have access to the network. This feature complements the Delegated Authentication URL feature.

System Administrators and Managers can be exempt from these restrictions if their Work Roles are configured accordingly.

To Configure Network Security Restrictions:

  1. Click the Network Security Restrictions link. The Allow IP Subnets pop-up displays.
  2. Click the Add button.
  3. Enter the Subnet Mask using CIDR notation (Required).
  4. Enter a brief Description in the text box.
  5. The Active check box defaults to selected.
  6. Click the Save button.
    Configuring Network Security Restrictions.
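
An added Python example (not MosoMRM code) that audits rows as they would be entered in the Allow IP Subnets pop-up and then checks a client address against the active ones. The row layout (CIDR, Description, Active), the function names, the "very broad" threshold and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample rows: (Subnet in CIDR notation, Description, Active)
ENTRIES = [
    ("203.0.113.0/28", "Front desk LAN", True),
    ("198.51.100.0/24", "Old office", False),
    ("10.1.2.3/24", "Typo: host bits set", True),
    ("0.0.0.0/0", "Temporary test rule", True),
]

def audit_subnets(entries, max_v4_hosts=65536):
    """Parse the rows; return (active networks, findings for an admin)."""
    networks, findings = [], []
    for cidr, description, active in entries:
        try:
            # strict=True rejects entries such as 10.1.2.3/24, where the
            # address part is a host rather than the network address.
            net = ipaddress.ip_network(cidr.strip(), strict=True)
        except ValueError as exc:
            findings.append(f"{cidr!r} ({description}): rejected, {exc}")
            continue
        if not active:
            continue  # inactive rows grant nothing
        if net.prefixlen == 0 or (net.version == 4 and net.num_addresses > max_v4_hosts):
            findings.append(f"{cidr!r} ({description}): very broad range")
        networks.append(net)
    return networks, findings

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any active subnet."""
    ip = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report IPv4 clients as ::ffff:a.b.c.d.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets, notes = audit_subnets(ENTRIES)
    print([str(n) for n in nets])
    print("\n".join(notes))
    print(is_allowed("203.0.113.5", nets))
```

The /0 row shows why the audit matters: while it is active, every address passes the check regardless of the narrower rows.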

Technical Information


API Key

This setting is only applicable, and is required, if you are using the Moso myClub member portal. This setting is what makes the connection between MosoMRM and Moso myClub. If you are not using Moso myClub this setting is not required.

Private Key

The Private Key is used in Moso myClub for password change or reset requests. When the request is made, an email is generated with a link. When you click that link, if the values from that link match the values from the request that was sent, MosoMRM allows you to reset the password. This is all done to prevent someone from randomly generating a "token" and requesting a password reset.

(NOTE: This entire process is done on the back end through a series of "tokens" being generated from hashing database values, specifically the Role ID.)
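
An added Python example, not MosoMRM's implementation, of a reset link that validates only when its values match the stored request, and of why regenerating the Private Key invalidates outstanding requests. HMAC-SHA256 keyed with the Private Key is an assumed construction (the page says only that database values such as the Role ID are hashed), and `request_id`, `expires_at` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

def new_private_key():
    """Stand-in for the Regenerate button: a fresh random secret."""
    return secrets.token_bytes(32)

def make_reset_token(private_key, role_id, request_id, expires_at):
    """Bind the token to the stored values of one reset request."""
    msg = f"{role_id}|{request_id}|{expires_at}".encode()
    return hmac.new(private_key, msg, hashlib.sha256).hexdigest()

def verify_reset_link(private_key, role_id, request_id, expires_at, token, now):
    """Recompute the token from stored values; compare in constant time."""
    if now > expires_at:
        return False
    expected = make_reset_token(private_key, role_id, request_id, expires_at)
    return hmac.compare_digest(expected.encode(), token.encode())

def demo():
    """Run the checks on constructed values and return each outcome."""
    key = new_private_key()
    role_id, request_id, expires_at = 4211, "req-0001", 1_700_003_600
    now = 1_700_000_000
    token = make_reset_token(key, role_id, request_id, expires_at)
    return {
        # Link values match the stored request: accepted.
        "valid": verify_reset_link(key, role_id, request_id, expires_at, token, now),
        # Same token presented for a different Role ID: rejected.
        "other_role": verify_reset_link(key, 4212, request_id, expires_at, token, now),
        # A randomly generated token: rejected.
        "random_token": verify_reset_link(
            key, role_id, request_id, expires_at, secrets.token_hex(32), now),
        # Past the expiry time: rejected.
        "expired": verify_reset_link(
            key, role_id, request_id, expires_at, token, expires_at + 1),
        # Private Key regenerated after the email was sent: rejected.
        "after_regenerate": verify_reset_link(
            new_private_key(), role_id, request_id, expires_at, token, now),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```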

Delegated Authentication Log-in URL

The Delegated Authentication Log-in URL is part of PCI Compliance and gives you the ability to set up a specific site (URL) that validates against your Active Directory or network site. This, in turn, allows for a single sign-on to any local Workstation or network using a single network password instead of your standard credentials.

You should have the following prerequisites to use this feature:

  1. An administrator who understands the basics of how to use and set up Internet Information Services (IIS). (REQUIRED: Only a "Super User", i.e., a System Administrator, can set up this feature.)
  2. A website that is hosted internally.
  3. A Lightweight Directory Access Protocol (LDAP) server.

MosoMRM will provide you with a "LdapLogin.aspx" URL (see Screen Shot above) and you will host this page on your own server.

This feature is also used in combination with a Virtual Private Network (VPN), giving you the ability to access MosoMRM externally. These settings restrict who, and from where, your MosoMRM application is being accessed.

To have access to, or bypass, this feature, you are required to enable the Network Security Settings for your designated Work Role.

(NOTE: You may be redirected to a separate page hosted by a 3rd party for some of the specific setup instructions.)

Delegated Authentication Log-Out URL

This feature gives you the ability to redirect any logged in Users in an Authenticated session to a specific URL when logging out.

The URL you enter must be http or https and can be set at the Enterprise level ONLY. Typically when logging out of MosoMRM, you are directed back to the standard MosoMRM Log-In page. When using this feature however, you are directed instead to the URL that you specify in Enterprise Security Configuration.

Client Heartbeat URL

The Heartbeat URL gives you the ability to keep sessions from timing out in an authenticated session. The Heartbeat URL is set at the Enterprise level ONLY. In turn, MosoMRM sends a request ("pings") every 60 seconds to the URL you specify in this configuration for the purpose of keeping any or all remote sessions alive without interruption.


In order to securely support Cross Origin Resource Sharing (CORS) requests to the MosoMRM API, the Access-Control-Allow-Origin value must be set in the response header as per RFC standards.

This field is a string value and allows for an empty/null value (default). If you use this default value, only same domain origin requests will be passed through the header, i.e., API calls from your own domain only. If you enter the "*" character, ALL origin domains will be passed through the header.

For API controller responses only, add the "Access-Control-Allow-Origin" header key and value to the HTTP response. Do this only when the configuration setting is not empty.

The setting value also supports multiple origin domains via a comma-delimited list in the settings value. Because of a limitation in the HTTP header specification, only one value can be set in the response. To work around this, MosoMRM inspects the incoming request origin and if it matches a value in the comma-delimited list, the request header value is echoed back in the response header. This is accomplished from the HTTP_ADDR server variable.
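
The list-matching behaviour described above, as an added Python example that is not MosoMRM's code: it decides which CORS headers an API response gets for each kind of setting value. The function names, the requirement that list entries are full origins (scheme and host), the `Vary: Origin` header and the sample domains are assumptions of this example.

```python
from urllib.parse import urlsplit

def _normalize(origin):
    """Return scheme://host[:port] in lowercase, or None if not a bare origin."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if "@" in parts.netloc:
        return None  # userinfo never belongs in an origin
    return f"{parts.scheme}://{parts.netloc}".lower()

def cors_headers(setting, request_origin):
    """Headers to add to an API response.

    setting        -- configured value: empty, "*", or a comma-delimited list
    request_origin -- the request's Origin header value, or None if absent
    """
    setting = (setting or "").strip()
    if not setting:
        return {}  # default: no header, so browsers allow same-origin only
    if setting == "*":
        return {"Access-Control-Allow-Origin": "*"}
    allowed = {_normalize(entry) for entry in setting.split(",")} - {None}
    origin = _normalize(request_origin or "")
    # Exact match only. Prefix, suffix or substring tests would also accept
    # look-alike hosts such as club.example.com.other.example.
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    # The response depends on Origin, so caches must key on it either way.
    return {"Vary": "Origin"}

if __name__ == "__main__":
    setting = "https://portal.example.com, https://club.example.com"  # constructed
    for origin in ("https://club.example.com",
                   "https://club.example.com.other.example", None):
        print(origin, "->", cors_headers(setting, origin))
```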
